Vintegris, as part of its policy of continuous improvement and with the aim of guaranteeing the highest quality and security of the information processed in the provision of its services, has obtained ISO 27701 certification through AENOR. This standard is an extension of ISO 27001 and ISO 27002 (security techniques) that adds the requirements of a privacy information management system.
What does ISO 27701 require?
Certification to ISO 27701 requires that the entity already be certified to ISO 27001, the information security management standard. Together with the controls of ISO 27002, this implies that the organization already operates an information security management system based on risk management and continuous improvement.
ISO 27701 extends the requirements of ISO 27001, taking into account the protection of personal data and establishing requirements for the organization, both in its role as controller and in its role as processor.
What does implementing and obtaining ISO 27701 certification entail?
Starting from the existing security management system (ISO 27001 and ISO 27002), the organization must review its regulations, procedures and security measures and incorporate the privacy dimension into them, adopting the measures needed to maintain privacy throughout the processing of information. Risks are then assessed not only from the point of view of security but also from the point of view of the privacy of the information the organization processes.
At Vintegris, the information security management system becomes the integrated security and privacy management system in the organization.
For Víntegris, ISO 27701 certification has meant not only a review of the ISO 27001 and ISO 27002 requirements to incorporate the privacy dimension, but also compliance with the additional requirements that apply to a data controller, guaranteeing adherence to the measures the standard requires in the collection and processing of data, considering aspects such as:
- Defining the purpose of each processing operation performed
- The legal basis for the processing
- The requirements for obtaining consent
- The privacy impact assessment of the processing of information
- The contractual regulation of the relationship with data processors
- The procedure for handling data subject rights requests
- Compliance with principles such as "privacy by design and by default"
- Data quality, ensuring that data is kept up to date and limited to what the processing requires
- The deletion of data once the purpose of its processing has been fulfilled
- Requirements for international data transfers, etc.
Likewise, certification under this standard guarantees compliance with the requirements established for proper performance as a data processor in those cases where providing our services to clients involves acting as a data processor on their behalf.
This ISO 27701 certification adds to our previous certifications in ISO 27001 and in the National Security Scheme (ENS) at the HIGH category, in line with our objective of providing our clients with services that offer the highest guarantees in information security and privacy, complying with recognized standards in these matters that are independently certified.
For Vintegris, it is also a guarantee of compliance with current data protection regulations, since the requirements of ISO 27701 are aligned with those established in the European General Data Protection Regulation (Regulation (EU) 2016/679).